Thanks for a very informative article and interesting discussion. I will reread it several times as my head spins more slowly... For now, I have a question.

a VPN service on your computer encrypts the data, sends it over via the Internet to the destination VPN server

Suppose I'm connecting to a bank over hotel wifi, and I don't care who knows; of course, I don't want anyone to see my data. If the connection is https and the certificate checks out, then am I correct in thinking that a VPN adds little in terms of data security (tunnel within a tunnel)?

@wognath: In such a case, the VPN-as-a-proxy or secure web proxy would not really offer you much in terms of privacy. Yes, without it, other hotel guests (and the hotel, and governments) could see that your IP is connecting to the bank website, and they could therefore assume (correctly) that you have a bank account there. But maybe you choose not to care, so in such cases, HTTPS is enough.

Of course, if the bank insists on only allowing you to connect from [country] and you are in [another country], then a VPN-as-a-proxy or an anonymising secure web proxy could allow you to connect via [country] and allow the website to work, so there is a functional benefit if needed.

@morg42: It really doesn't matter whether or not the WiFi is encrypted (after all, other guests are already using the same network as you and can normally see the same traffic). If you are using an insecure connection to a website, then an attacker can always intercept the connection. A VPN doesn't prevent that. It just means that the attacker needs to sit somewhere along the connection between the VPN and the website (see the diagrams above), rather than snooping on the WiFi. The most serious attackers are the ones operating at a national level or hosting provider level, not the ones on your WiFi.

Certificates cannot be manipulated unless the manipulator has access to a signing certificate which is trusted by your system (if they have that access, the entire trust system breaks down, and no connections are safe, with or without a VPN).

@dragon-sails2 In short, there's an increased "ping" time when using WebRTC because the IP is not broadcast, so it has to request it, but it's more of an overhead than a constant operation. Meaning it will start slower, but again, it's only when using WebRTC, which very few sites use.

But broadcasting leaks your real IP if you are under a VPN, so it has to be disabled on VPNs.
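The leak the comment above describes can be checked directly: WebRTC ICE candidates carry the addresses the browser is willing to use, and a server-reflexive candidate showing an address other than the VPN's egress IP means the real address is being exposed. The following is an added example, not code from the original article or any commenter: it parses candidate lines, classifies their addresses, and flags public addresses that differ from the VPN's. The candidate strings are constructed samples, the VPN egress IP is an assumed placeholder, and the STUN server URL in the browser-side gatherer is an assumption (any reachable STUN server works).

```javascript
// Added example (not from the original post): classify the addresses that
// WebRTC ICE candidates expose, so you can tell whether a browser behind a VPN
// is leaking its real address. The candidate strings below are constructed
// samples in the SDP "candidate:" format; ASSUMED_VPN_EGRESS is a placeholder.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Pull the connection address out of one ICE candidate line.
// Field layout: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 8 || !parts[0].startsWith('candidate:')) return null;
  const typIdx = parts.indexOf('typ');
  return {
    address: parts[4],
    port: Number(parts[5]),
    type: typIdx >= 0 ? parts[typIdx + 1] : 'unknown',
  };
}

// Classify an address: RFC 1918, loopback and link-local ranges are "private",
// mDNS-obfuscated hostnames (modern browsers use these for host candidates)
// are "mdns", and everything else is treated as "public".
function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns';
  const m = IPV4.exec(addr);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    if (a === 10 || a === 127 || (a === 192 && b === 168) ||
        (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254)) {
      return 'private';
    }
    return 'public';
  }
  // IPv6: loopback, fe80::/10 link-local and fc00::/7 unique-local are private
  const low = addr.toLowerCase();
  if (low === '::1' || /^fe[89ab]/.test(low) || /^f[cd]/.test(low)) return 'private';
  return 'public';
}

// Given gathered candidate lines and the VPN's known egress IP, report every
// public address that is not the VPN's. Any hit means WebRTC is revealing an
// address the VPN was supposed to hide.
function findLeaks(candidateLines, vpnEgressIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (classifyAddress(c.address) === 'public' && c.address !== vpnEgressIp) {
      leaks.push({ address: c.address, type: c.type });
    }
  }
  return leaks;
}

// In a browser this gathers real candidates via a throwaway data channel;
// outside a browser it resolves to an empty list so the logic runs offline.
// The STUN server URL is an assumption; any reachable STUN server will do.
function gatherCandidates(timeoutMs = 1500) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
    pc.createDataChannel('probe');
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createOffer().then((o) => pc.setLocalDescription(o));
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Constructed sample: a LAN host candidate, an mDNS host candidate, a
// server-reflexive candidate showing the VPN egress, and one showing the
// real ISP-assigned address (the leak).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.10 53451 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f1c9d2a-7b4e-4c1d-9a3b-2e5f6a7b8c9d.local 54021 typ host generation 0',
  'candidate:3 1 udp 1686052607 198.51.100.7 53451 typ srflx raddr 192.168.1.10 rport 53451 generation 0',
  'candidate:4 1 udp 1686052351 203.0.113.45 53452 typ srflx raddr 192.168.1.10 rport 53452 generation 0',
];
const ASSUMED_VPN_EGRESS = '198.51.100.7'; // placeholder: the IP your VPN provider says you exit from

if (typeof window === 'undefined') {
  console.log(findLeaks(SAMPLE_CANDIDATES, ASSUMED_VPN_EGRESS));
} else {
  gatherCandidates().then((lines) => console.log(findLeaks(lines, ASSUMED_VPN_EGRESS)));
}
```

Run in a page's devtools console while connected to the VPN and compare the reported addresses with what the VPN provider shows as your IP; an empty result means no public address other than the VPN's was offered. Note that private LAN addresses and mDNS names are deliberately not treated as leaks here, since they do not reveal your location, though the LAN address is still a fingerprinting signal.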

@rafiki
Hi, first start with a private window, as all extensions are disabled there.
If it works, it is one of your extensions.
Go back to the default window and disable all extensions, or better delete them, but that may be a lot of work.
Enable extensions one by one.

@mib2berlin: Thank you. It was worth a try, but my location is somehow still leaking out. I have been in discussion with my VPN provider and it's not certain that it's the browser at all, but perhaps my ISP. They are working on it, allegedly.